This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 13%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED6%3C/text%3E%3C/svg%3E)
Our setup & issue
We're using terraform to manage infrastructure. When trying to create a Azure Key Vault with enable_rbac_authorization set to true, terraform silently succeeds however the permission model is set to Vault Access Policy . On subsequent requests terraform errors out because it is not able to configure rbac on the key vault.
│ Error: updating Key Vault (Subscription: "XXXXXXX"
│ Resource Group Name: "YYYYY"
│ Key Vault Name: "SSSSSS"): vaults.VaultsClient#Update: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InsufficientPermissions" Message="Caller is not allowed to change permission model. For more information on how to change the permissions model follow this link: https://go.microsoft.com/fwlink/?linkid=2155160. Details: name=MY_EMAIL_ADDRESS; oid=SOME-UID; action=Microsoft.Authorization/roleAssignments/write; resource=/subscriptions/XXXXXXX/resourcegroups/YYYYY/providers/Microsoft.KeyVault/vaults/SSSSSS; decision=NotAllowed; "
I was also unable to change the permission model via the Azure UI and got a similar error with code InsufficientPermissions.
I have the owner role assigned for subscription XXXXXXX. But that wasn't sufficient. To make it work, we had to remove all the roles under "Allow all except specific roles", which included
What is the least privileged configuration to make this work ? I expect to be able to create User Managed Identities for resources within the subscription and assign roles to them. With the exception of terraform, no other resource needs to be able to assign roles themselves.
May this article help you
https://azuretechinsider.com/key-vault-access-policy-to-rbac-migration-lessons-learnt/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Hi @dax-6615
Thank you for reaching US!
I suggest you go through the below documents
Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
Migrate from vault access policy to an Azure role-based access control permission model
Assign a Key Vault access policy (legacy)